Captive WiFi portals corrupt package lists
Bug #1034834 reported by
TJ
This bug report is a duplicate of:
Bug #756317: Captive portals may corrupt apt translation indices.
Edit
Remove
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apt (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
I've dealt with several users reporting apt is broken. The cause is corrupted package lists in /var/lib/apt/lists/ caused by captive portals on WiFi networks that are returning HTTP 200 responses but with the content being the captive portal's login page.
apt doesn't realise the content is invalid - it doesn't check the signature - before writing it to the system.
This affects Precise users with apt 0.8.16.
It shouldn't affect Quantal's 0.9.7 since that apparently checks the gpg signatures.
To post a comment you must log in.
Still present in 12.04 LTS, Precise running apt 0.8.16
In my case the corrupted package list files in /var/lib/apt/lists are caused by the router redirecting to an internal help page when it realises that its internet connection is down. So, when a fetch is attempted from, say gb.archive. ubuntu. com/ubuntu/ dists/precise- updates/ universe/ binary- i386/Packages when checking for updates what comes back is the html source from the router's help page (example attached -- line 52 contains the requested url).
It would appear that no sanity check is done on the returned data leaving subsequent parse attempts to choke. The corrupted files remain and may propagate (???) causing other update failures.
On a security note, it occurs to me that an attacker in control of the router could return crafted files in place of apt's package lists to introduce malware as part of the normal automated update process. I trust checks are in place to prevent this???